Support Questions
Find answers, ask questions, and share your expertise
Announcements
Alert: Welcome to the Unified Cloudera Community. Former HCC members be sure to read and learn how to activate your account here.

Sentry / Impala: Grant read permissions to all databases

Sentry / Impala: Grant read permissions to all databases

Expert Contributor

Hi community,

 

I got CDH 5.16 and a cluster with Impala / Hive / Sentry (database-backed) set up.

 

In Impala, I got different databases and want to define policies so that a group / role can access all databases read-only.

 

I tried this Grant but it does not work:

 

"GRANT SELECT ON DATABASE ALL TO ROLE my_role;"

 

 

How can I define SELECT-permissions for all databases in Sentry?

 

Thanks!

Benjamin

6 REPLIES 6
Highlighted

Re: Sentry / Impala: Grant read permissions to all databases

Expert Contributor

Quite strangely, the same GRANT Query seems to work when running through HiveServer2 (e.g. using beeline). Is this an Impala Bug?

Re: Sentry / Impala: Grant read permissions to all databases

New Contributor

Hi,

 

are you using the same user from Impala and Hive?

 

if your cluster is not kerberized and from Impala-shell you run as 'impala' user and from beeline as 'hive' user, it´s possible that your user 'impala' doesn´t belongs to sentry´s admins groups.

 

You can check those groups in property "sentry.service.admin.group" in Sentry service.

 

It could be a possibility...

Re: Sentry / Impala: Grant read permissions to all databases

Expert Contributor

Hi,

 

I am using the same user for the access both from Hive and Impala. Besides, both users are in the Sentry admin group list.

 

Best

Benjamin

Re: Sentry / Impala: Grant read permissions to all databases

New Contributor

Hi,

 

in that case, it could be possible that you have not enabled the Sentry Service from Impala?

 

If you have a similar message like this:

 "Authorization is not enabled. To enable authorization restart Impala with the --server_name=<name> flag."

In Cloudera Manager the property "Sentry Service" might be to none and you can execute Sentry admin commands until you configure it and restart Impala.

 

Regards.

 

Re: Sentry / Impala: Grant read permissions to all databases

Expert Contributor

Nope Sentry is set up and all other grants work. It is only the SELECT GRANT that makes problems and does not work in Impala.

Re: Sentry / Impala: Grant read permissions to all databases

New Contributor

Sorry, I thought your problem could be about configuration.

 

But you´re right, it looks like impala-shell doesn´t support the the clausule ALL (neither *) to refer to "ALL DATABASES".

You can specify "default" DATABASE or a particular DATABASE, but not all at one time:

 

 

ERROR: AnalysisException: Syntax error in line 1:
GRANT ALL ON TABLE ALL TO ROLE rol_auditors
                   ^
Encountered: ALL
Expected: DEFAULT, IDENTIFIER

CAUSED BY: Exception: Syntax error

 

and from beeline it works fine.

 

In my opinion, I think it doesn´t a bug, only that they have not implemented this option from impala-shell.

 

I'm sorry I could not help you.

Regards.